Re: [exim] A decent acl example please!

Author: Sebastian Nielsen
Date:  
To: exim-users
Subject: Re: [exim] A decent acl example please!
Here is an excerpt from my configuration that you can look through, and
possibly use parts of.

Remember to replace all instances of my domain with yours.




hostlist relay_from_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
auth_advertise_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
# List separator changed to ';' because the IPv6 literals contain ':', which is Exim's default list separator
domainlist local_domains = <; sebbe.eu ; [185.86.106.232] ; [193.187.91.106] ; [2001:470:dff1:1:10::1] ; [2001:470:dff1:1:10::2] ; dns1.sebbe.eu ; dns2.sebbe.eu ; mx.sebbe.eu ; 185.86.106.232 ; 193.187.91.106


acl_check_mail:

  accept
    authenticated = *
    senders = ^(sebastian|postmaster|abuse)@sebbe\\.eu\$
    hosts = +relay_from_hosts
    set acl_m0 = authorizedrelay


## This one ensures you need a valid password AND a valid IP to relay. Thus
## hacked passwords are a no go here.
## Combined with auth_advertise_hosts, it will also not even offer
## authentication to invalid hosts.
## This also requires the sender address to be within the local domain to be
## considered authenticated relay,
## else this rule is never triggered, authorizedrelay isn't set and any
## valid authenticated emails but with a sender of like
## RolexWatches@??? will also get rejected.


  deny
    message = 5.7.14 You can't spoof the domains this server is authoritative for
    sender_domains = ^(?i).*(sebbe\\.eu)\$ : +local_domains


## Prevents anyone from sending an email with a sender that is local to the
## server in question, if they aren't authorized to do so (ergo logged in and
## have the right IP)

  deny
    message = 5.7.1 Local users must authenticate
    hosts = +relay_from_hosts


## Prevents anyone that is already on the local network from sending without
## authenticating.

  deny
    message = 5.4.6 That would create a mail loop
    sender_domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*



## Prevent crude form of mail loops.

  deny
    message = 5.7.0 Banned TLD
    sender_domains = ^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)\$



## TLD ban. Bans a lot of TLDs in the sender address. Those TLDs are the ICANN
## new garbage shit that are 100% spam sources.

  deny
    message = 5.1.8 Sender verification failed
    !verify = sender


## Basic sender verification. (Does MX exist etc)

  accept
    condition = ${if eq {$sender_address}{}{yes}{no}}


## Auto-accept the blank sender address.

  deny
    message = 5.7.23 SPF fail (phishing) - (${sg{${sg{$spf_smtp_comment}{http\:\/\/www\.open-spf\.org\/Why}{https:\/\/www.sebbe.eu\/spf.cgi}}}{&receiver=sebbe\.eu}{}})
    log_message = SPF check failed: ($spf_header_comment)
    spf = fail : softfail



## Reject all SPF=softfail and all SPF=hardfail messages.

  accept




acl_check_rcpt:
  deny
    local_parts = ^[./|] : ^.*[\\\\@\$%`#&?/|] : ^.*/\\.\\./ : ^.*x24 : ^.*0.44
    message = 5.1.7 Restricted characters in address


## Prevent certain security holes.

  deny
    message = 5.4.6 That would create a mail loop
    domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*


## Prevent some crude mail loops.

  accept
    condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
    control = submission/sender_retain
    control = dkim_disable_verify


## If the message is authorized relay - ergo authenticated and right IP - accept
## it through at RCPT stage too.

  require
    message = 5.7.1 Relay not permitted
    domains = +local_domains


## Message must be to a local mailbox if it's not authenticated.

  require
    verify = recipient


## Basic recipient reachability check.

  accept



acl_check_data:

  warn
    remove_header = date
    remove_header = subject
    add_header = Date: $tod_full
    add_header = Subject: ${rfc2047:${length_100:${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{$h_subject:}{\\xE5}{\\xA5}}}{\\xC4}{\\x84}}}{\\xD6}{\\x96}}}{\\xC5}{\\x85}}}{\\xF6}{\\xB6}}}{\\xE4}{\\xA4}}}{\N[^a-zA-Z0-9\xA5\xA4\xB6\x85\x84\x96 !"\@#\$%&\/\{(\[)\]=\}?+\\\-_:.;,*><|^~]\N}{}}}{\N([\xA5\xA4\xB6\x85\x84\x96])\N}{\\xC3\$1}}}{    }{ }}}{   }{ }}}{  }{ }}}{^ }{}}}{ \$}{}}}}



## Scrub email. This replaces the Date header with a valid one, so if a mail
## has its date set to 1970-01-01 the email doesn't get pushed to the very
## bottom of the inbox.
## Also shortens subjects to 100 characters and removes invalid characters,
## preventing certain bugs and quirks in Microsoft Outlook with subjects.

  deny
    message = 5.6.0 Message headers fail syntax check
    !verify = header_syntax


## Basic header check.

  deny
    message = 5.6.0 No verifiable sender address in message headers
    !verify = header_sender


## Basic header check.

  deny
    message = 5.6.0 Missing MIME From header
    condition = ${if def:h_from:{no}{yes}}


## Basic header check.

  deny
    message = 5.7.14 You can't spoof the MIME From this server is authoritative for
    condition = ${if match {$h_from:}{(?i)@([a-zA-Z0-9_.\\-]*\\.)?(sebbe\\.eu)}{yes}{no}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}


## If the email is not an authorized relay, the MIME From: header can't be
## within the local server's domain.

  deny
    message = 5.7.1 Authorized relayed messages MUST have a local MIME From
    condition = ${if match {$h_from:}{^"?(Sebastian Nielsen|Microsoft Outlook)"? <(sebastian|abuse|postmaster)@sebbe\\.eu>\$}{no}{yes}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}


## If the email IS authenticated relay, the MIME From MUST be within the local
## domain, so if any bots from a local computer attempt to send, they must also
## use the local domain and cannot spoof.

  deny
    message = 5.7.0 Banned TLD in MIME From
    condition = ${if match {$h_from:}{^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)>\$}{yes}{no}}


## Same TLD ban as above, but this one for the MIME From. Bans a lot of TLDs in
## the sender address. Those TLDs are the ICANN new garbage shit that are 100%
## spam sources.

  accept



Hope you like it.
Best regards, Sebastian Nielsen
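The Subject-scrubbing expansion in the acl_check_data block above is dense enough that it helps to see the same chain of replacements stage by stage. The following Python is an added example for this thread, not the poster's configuration and not Exim code: it re-implements the thirteen ${sg...} stages on raw header bytes. It assumes the subject arrives as raw bytes (Exim works on bytes here, and length_100 is taken to count bytes), leaves the final ${rfc2047:...} encoding to the MTA, and uses constructed sample subjects.

```python
"""Stage-by-stage model of the posted Subject scrub (added example, not Exim code)."""
import re

# Stage 1: six Latin-1 Swedish letters (å Ä Ö Å ö ä) are replaced by a single
# placeholder byte, which is the second byte of each letter's UTF-8 form.
LATIN1_TO_PLACEHOLDER = {0xE5: 0xA5, 0xC4: 0x84, 0xD6: 0x96,
                         0xC5: 0x85, 0xF6: 0xB6, 0xE4: 0xA4}

# Stage 2: everything not in this set is deleted. This is the negated character
# class of the posted regex: letters, digits, the placeholders, space and the
# listed punctuation. Note that the UTF-8 lead byte 0xC3 is NOT allowed.
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
              b" !\"@#$%&/{([)]=}?+\\-_:.;,*><|^~") | set(LATIN1_TO_PLACEHOLDER.values())


def scrub_subject(raw: bytes, max_len: int = 100) -> bytes:
    """Return the scrubbed subject bytes before ${rfc2047:...} is applied."""
    s = raw
    for latin1, placeholder in LATIN1_TO_PLACEHOLDER.items():
        s = s.replace(bytes([latin1]), bytes([placeholder]))
    # Stage 2: drop every byte outside the allowed set (tabs, control bytes,
    # other Latin-1 letters, UTF-8 lead bytes and emoji all disappear here)
    s = bytes(b for b in s if b in ALLOWED)
    # Stage 3: prefix each surviving placeholder with 0xC3, which turns it into
    # the UTF-8 encoding of the letter. Subjects that were already UTF-8 survive
    # too, because their 0xC3 lead byte was stripped and is now put back.
    s = re.sub(rb"([\xa5\x84\x96\x85\xb6\xa4])", lambda m: b"\xc3" + m.group(1), s)
    # Stages 4-6: runs of four, three and two spaces are each collapsed to one,
    # in that order (a global replace per stage, like Exim's sg)
    for run in (b"    ", b"   ", b"  "):
        s = s.replace(run, b" ")
    # Stages 7-8: one leading and one trailing space are removed
    s = re.sub(rb"^ ", b"", s)
    s = re.sub(rb" $", b"", s)
    # ${length_100:...}: keep the first 100 bytes
    return s[:max_len]


if __name__ == "__main__":
    # Constructed sample subjects: Latin-1 input, UTF-8 input, whitespace mess
    for sample in (b"Hello \xe5\xe4\xf6 world",
                   "Räksmörgås".encode("utf-8"),
                   b"  Spaces   and\ttabs   "):
        print(repr(sample), "->", scrub_subject(sample).decode("utf-8"))
```

Two things the model makes visible: the staged 4/3/2-space collapse is not a general whitespace collapse (a run of 11 spaces still leaves two), and only those six letters are rescued, so any other Latin-1 letter such as é is simply dropped. The 100-byte cut can also land inside a two-byte UTF-8 sequence. Finally, Exim's ${rfc2047:} operator labels its output with the charset named by the headers_charset option, whose default is ISO-8859-1, so the UTF-8 bytes this chain produces are declared correctly only when that option is set to UTF-8.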


-----Original message-----
From: Jacques B. Siboni via Exim-users <exim-users@???>
Sent: 1 June 2020 18:54
To: Jeremy Harris via Exim-users <exim-users@???>
Subject: [exim] A decent acl example please!

Dear colleagues


It seems there are many ways to configure the acl part of exim4. I have tried
many options but, so far, I can't get rid of spammers using our smtp to send
spam mails. (I receive a lot of spam mails as well but this nuisance I can deal
with.)

Can some of you send a decent example of acl config solving most of the
problems encountered? I signal I have already added the spf record, a dkim
signature and dmarc data.

But nonetheless I believe some bots manage to pass through the net.

exim4 version is 4.93-16 on Debian

Thanks in advance

Jacques

--
Jacques B. Siboni mailto:jacsib@Lutecium.org
8 pass. Charles Albert, F75018 Paris, France
Tel: +33 142 287 678 Port: +33 612 536 959
Home Page: http://jacsib.lutecium.org/
Lutecium pages: http://www.lutecium.org
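To see how the posted acl_check_mail and acl_check_rcpt statements interact for the relay-abuse case Jacques describes, here is an added example in Python. It is not Exim code and not the poster's configuration, just a re-implementation of the posted statement order so that combinations of (authenticated, connecting IP, sender address) can be tried offline. Assumptions: local_domains is reduced to the hostnames in the post, the TLD ban is shortened to a handful of entries, the verify=sender and verify=recipient DNS lookups are replaced by boolean parameters, the SPF result is passed in as a string, and every address and IP used is constructed.

```python
"""Offline model of the posted MAIL and RCPT ACL flow (added example, not Exim code)."""
import ipaddress
import re

# hostlist relay_from_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1  (Exim doubles the colons of ::1)
RELAY_FROM_HOSTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.1/32", "::1/128")]
# Subset of the posted domainlist local_domains (assumption: the IP-literal entries are omitted)
LOCAL_DOMAINS = {"sebbe.eu", "dns1.sebbe.eu", "dns2.sebbe.eu", "mx.sebbe.eu"}
# senders = ^(sebastian|postmaster|abuse)@sebbe\.eu$
AUTHORIZED_SENDERS = re.compile(r"^(sebastian|postmaster|abuse)@sebbe\.eu$")
# localhost : ^\[127.* : ^.*\.local : ^.*\.localdomain : ^.*\.localhost : ^127\..*
LOOP_DOMAINS = re.compile(r"^(localhost$|\[127.*|.*\.local|.*\.localdomain|.*\.localhost|127\..*)")
# Shortened stand-in for the posted TLD ban (assumption: a few entries instead of the full list)
BANNED_TLD = re.compile(r"^.*\.(bid|click|date|download|loan|racing|win|xyz|zip)$", re.IGNORECASE)
# local_parts = ^[./|] : ^.*[\\@$%`#&?/|] : ^.*/\.\./ : ^.*x24 : ^.*0.44
RESTRICTED_LOCAL_PART = re.compile(r"^[./|]|^.*[\\@$%`#&?/|]|^.*/\.\./|^.*x24|^.*0.44")


def host_in_relay_list(ip: str) -> bool:
    """hosts = +relay_from_hosts"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_FROM_HOSTS)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def acl_check_mail(sender, host, authenticated, spf="none", sender_verifies=True):
    """Return (verdict, response_text, acl_m0) for MAIL FROM, in the posted order."""
    relay_host = host_in_relay_list(host)
    # accept: password AND network location AND one of the fixed local senders
    if authenticated and relay_host and AUTHORIZED_SENDERS.match(sender):
        return "accept", "", "authorizedrelay"
    domain = domain_of(sender)
    # deny: a local sender domain that did not qualify above is a spoof
    if domain.endswith("sebbe.eu") or domain in LOCAL_DOMAINS:
        return "deny", "5.7.14 You can't spoof the domains this server is authoritative for", None
    # deny: anything else from the local network is rejected (a stolen password
    # used with an unlisted sender also ends here)
    if relay_host:
        return "deny", "5.7.1 Local users must authenticate", None
    if LOOP_DOMAINS.match(domain):
        return "deny", "5.4.6 That would create a mail loop", None
    if BANNED_TLD.match(domain):
        return "deny", "5.7.0 Banned TLD", None
    if not sender_verifies:                      # stands in for !verify = sender
        return "deny", "5.1.8 Sender verification failed", None
    if sender == "":                             # bounces are accepted before the SPF check
        return "accept", "", None
    if spf in ("fail", "softfail"):
        return "deny", "5.7.23 SPF fail (phishing)", None
    return "accept", "", None


def acl_check_rcpt(recipient, acl_m0, recipient_verifies=True):
    """Return (verdict, response_text) for RCPT TO, in the posted order."""
    local_part, domain = recipient.rsplit("@", 1)
    domain = domain.lower()
    if RESTRICTED_LOCAL_PART.match(local_part):
        return "deny", "5.1.7 Restricted characters in address"
    if LOOP_DOMAINS.match(domain):
        return "deny", "5.4.6 That would create a mail loop"
    if acl_m0 == "authorizedrelay":              # relay is allowed only with the flag set at MAIL time
        return "accept", ""
    if domain not in LOCAL_DOMAINS:              # require domains = +local_domains
        return "deny", "5.7.1 Relay not permitted"
    if not recipient_verifies:                   # stands in for require verify = recipient
        return "deny", "Unrouteable address"
    return "accept", ""


if __name__ == "__main__":
    # Constructed scenarios, including a stolen password used from outside the LAN
    for sender, host, auth in [("sebastian@sebbe.eu", "192.168.1.10", True),
                               ("sebastian@sebbe.eu", "203.0.113.5", True),
                               ("rolexwatches@example.com", "192.168.1.10", True),
                               ("bob@example.org", "203.0.113.5", False)]:
        print(sender, host, auth, "->", acl_check_mail(sender, host, auth))
```

The second scenario is the one that matters for Jacques's problem: a valid password presented from an address outside relay_from_hosts never sets acl_m0, so the message is refused at MAIL time as a spoof of the local domain, and even a non-local sender from that session would be refused at RCPT time as "Relay not permitted". The third scenario reproduces the poster's own remark that an authenticated LAN client using an unlisted sender is rejected as well.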



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/